cphaprob -d problem -s problem report   !! Run on the active member to force a failover (registers a pseudo device named "problem" in problem state)
cphaprob -d problem unregister          !! Unregister the pseudo device to clear the forced failover

Notes:

  • The preferred way to control which member is active is the cluster configuration in the policy; these commands are for a temporary failover only. Once the problem device is unregistered, the cluster will most likely fail back unless the configuration has been changed in the meantime.
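Because the failover above is only temporary and the forced state has to be removed again, the following added shell wrapper (not Check Point's own tooling; the device name `manual_failover` and the `CPHAPROB` override are assumptions of this example) runs the two cheat-sheet commands as a pair: it registers the pseudo device on the active member, runs whatever command you pass, and unregisters the device no matter how that command exits or whether the session is interrupted.

```sh
#!/bin/sh
# Added example, not part of the original page or of Check Point's tooling.
# Forces a temporary ClusterXL failover by registering a pseudo device in
# "problem" state, then guarantees the unregister step runs afterwards.
# CPHAPROB is an assumed hook so a stub can stand in for the real binary when
# testing offline; on a gateway leave it unset.
CPHAPROB="${CPHAPROB:-cphaprob}"
DEVICE="${FAILOVER_DEVICE:-manual_failover}"   # constructed device name

# Same command as the cheat sheet, with the device name parameterised.
start_failover() {
  "$CPHAPROB" -d "$DEVICE" -s problem report
}

# Removing the device lets the cluster re-evaluate state and (usually) fail back.
end_failover() {
  "$CPHAPROB" -d "$DEVICE" unregister
}

# Run a command while the failover is in force; always unregister afterwards.
with_failover() {
  start_failover || return 1
  # If the session is interrupted, still clear the forced state before exiting.
  trap 'end_failover; exit 130' INT TERM
  if "$@"; then rc=0; else rc=$?; fi
  end_failover
  trap - INT TERM
  return "$rc"
}

# Example use on a gateway: hold the failover while checking cluster state.
if [ "${RUN_FAILOVER:-}" = "1" ]; then
  with_failover "$CPHAPROB" state
fi
```

Run it as `RUN_FAILOVER=1 sh failover.sh` on the active member; `cphaprob state` inside the window shows the member roles after the switch, and the unregister step runs as soon as that command returns.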

[ # ]

cphaconf set_ccp multicast   !! Use multicast CCP (default mode, most efficient)
cphaconf set_ccp broadcast   !! Use broadcast CCP (for switches that do not forward multicast correctly)

cphaprob -a if    !! Verify current mode and monitored interfaces


[ # ]

!! Most SPLAT devices
echo "<NAT-IP> <Physical-Interface-MAC-Address>" >> $FWDIR/conf/local.arp

!! SPLAT devices with VMAC mode enabled
echo "<NAT-IP> <Virtual-MAC-Address> <Physical-Int-IP>" >> $FWDIR/conf/local.arp

Notes:

  • Automatic NATs normally do not require a proxy ARP entry. Ensure "Merge manual proxy ARP configuration" is enabled under Global Properties -> NAT, otherwise the local.arp entries are ignored.
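A mistyped MAC or a second line for the same NAT IP in local.arp fails silently (the gateway simply answers ARP for the wrong address, or not at all), so the following added helper (this is example code, not Check Point's own; the `LOCAL_ARP` override used for offline testing is an assumption) validates both fields and refuses a duplicate NAT IP before appending an entry in the two formats shown above.

```sh
#!/bin/sh
# Added example, not part of the original page or of Check Point's tooling.
# Appends a manual proxy-ARP entry to local.arp with basic validation.
# LOCAL_ARP is an assumed override for testing; it defaults to the real file.

# True when $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F'.' '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1; exit 0 }
    { exit 1 }'
}

# True when $1 is a colon-separated 48-bit MAC such as 00:11:22:33:44:55.
valid_mac() {
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# add_local_arp <NAT-IP> <MAC> [<Physical-Int-IP>]
# Third argument only for the VMAC-mode format from the cheat sheet.
add_local_arp() {
  ip=$1; mac=$2; phys=${3:-}
  file="${LOCAL_ARP:-$FWDIR/conf/local.arp}"
  valid_ipv4 "$ip"  || { echo "bad NAT IP: $ip" >&2; return 2; }
  valid_mac "$mac"  || { echo "bad MAC: $mac" >&2; return 2; }
  if [ -n "$phys" ]; then
    valid_ipv4 "$phys" || { echo "bad interface IP: $phys" >&2; return 2; }
    entry="$ip $mac $phys"
  else
    entry="$ip $mac"
  fi
  # Refuse a second line for the same NAT IP: a stale MAC would silently
  # break the NAT instead of producing an error.
  if [ -f "$file" ] && awk -v ip="$ip" '$1 == ip { found = 1 } END { exit !found }' "$file"; then
    echo "entry for $ip already present in $file" >&2
    return 1
  fi
  printf '%s\n' "$entry" >> "$file"
}
```

Entries take effect on the next policy install; `fw ctl arp` on the gateway then lists the proxy ARP table so you can confirm the NAT IP is answered with the intended MAC.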

[ # ]

useradd -u 0 -o -g 0 -m <username> -s /bin/rbash   !! Add a user with UID/GID 0 (-o permits the duplicate UID) and a restricted shell

[ # ]

ethtool -s <interface> speed <speed, e.g. 100> duplex <duplex> autoneg off  !! Modify interface speed and duplex

config conn set local <ip>/<cidr> name <interface>  !! Assign an IP to an interface
config conn add type vlan local <ip>/<cidr> vlan-tag <vlan-tag> dev <physical-int-name>  !! Create a VLAN sub-interface
config conn del name <vlan-int>  !! Delete a sub-interface

!! Configure which interfaces are excluded from failover monitoring (add/delete the required interfaces, one per line)
cpstop
vi $FWDIR/conf/discntd.if
cpstart

[ # ]

  1. Create a UTM-1 Edge Gateway Device
    a. Configure the name
    b. Click the “Edit Registration Key” button and generate a random key (this key will not be used again, so there is no need to save it)
    c. Make sure that “Externally Managed Gateway” is checked. If it is not, the device will count against the management server’s licensed devices
  2. Configure the topology and encryption domain of the device
  3. Select “IPSec VPN”
  4. Click “Add” under the “Repository of Certificates Available to the Gateway”
    a. Provide a Nickname for the certificate
    b. Leave the “CA to enroll from” at the default (if using the Management server’s Certificate Authority)
    c. Choose the “Generate” option
    d. Leave all the defaults for the DN and choose “Ok” to generate the certificate
  5. You should now see a certificate in the Repository of the Gateway
  6. Select “View” to view the certificate and copy the “Subject” (DN) of the certificate
  7. Choose “Ok”
  8. Choose the “Matching Criteria” button
    a. Select “internal_ca” from the CA drop-down (unless using another Certificate Authority)
    b. Check the “DN” option and paste the DN from step 6
    c. Hit “Ok”
  9. Select “Ok” to save the object
  10. Reopen the gateway object and go back to “IPSec VPN”
  11. Select “Export p12” and choose a password for the certificate (remember this password, as it will need to be provided to the remote side)
  12. Send the password and the p12 file to the remote side for them to import
  13. Continue configuring the rest of the VPN as you would any other VPN (leaving out the PSK)
  14. Push the policy

Notes:

  • This is best used for dynamic-IP devices such as Safe@Office devices
  • These steps assume the Management Server is not also managing the remote dynamic-IP gateways, although the steps are not much different if it is

[ # ]

/usr/bin/passwd <username>

Notes:

  • 'passwd' on its own is a special Check Point wrapper script and does not change the password; use the full path shown above

[ # ]

fw log -l -t -n <log file>

Notes:

  • The log file argument is optional and defaults to $FWDIR/log/fw.log
  • If all logging connections to the log server are active, the firewall is unlikely to be writing logs locally; this command only shows logs written locally
  • -n - Do not perform DNS resolution
  • -f -t - Follow the file, similar to 'tail -f'

[ # ]